Hi I was trying to find information regarding data collectio

Question

Hi I was trying to find information regarding data collection Do you perhaps have any information about that And maybe osquerys take on GDPR

alessandrogario · Answer

Is this maybe more like a fleet management solution question about maybe audit logs and things automatically acquired on user machines osquery itself is just a data collection tool and what you acquire depends on what kind of queries are being run and where a server a personal machine or a company laptop

alessandrogario · Answer

You may also have extensions installed that include additional capabilities not covered by the core tables

A · Answer

I was thinking of if I download the app on a mac does my data that is collected end up in the cloud or such slightly smiling face

alessandrogario · Answer

It is up to you or the person that configures osquery

alessandrogario · Answer

It does not send anything anywhere on its own

alessandrogario · Answer

`osqueryi` or `osqueryd S` works as a shell and does 0 logging

alessandrogario · Answer

`osqueryd` in daemon mode only logs to file system

A · Answer

Perfect Thank you for the info fyi < Daniel >

alessandrogario · Answer

but sensitive data if any is likely in the results log and that depends on what queries are running

alessandrogario · Answer

queries are run from query packs from adhoc queries through a fleet management solution such as Kolide or fleetdm

A · Answer

We are looking for an alternative for sysmon but for Mac

alessandrogario · Answer

from distributed queries also from fleet management solution and from the extension socket other osquery shells connecting to it or osquery extensions providing additional functionality

alessandrogario · Answer

it all requires configuration and the admin deploying osquery should probably know what is happening in the deployment

A · Answer

Awesome

alessandrogario · Answer

I don t think osquery can replace sysmon but the endpoint security based tables could provide some of the same features

A · Answer

i mean sysmon does not work for mac only windows we just want to see the same data in splunk for mac clients

alessandrogario · Answer

You can see what can be gathered from endpoint security here <https osquery io schema 5 2 2 es process events>

alessandrogario · Answer

I know that file integrity monitoring also based on endpoint security is being worked on < sharvil> is the main dev on these two

alessandrogario · Answer

There are other older tables based on openbsm I am not sure whether they are still working right now but i think the API is being deprecated

alessandrogario · Answer

If we are talking about process events you could capture things in the parameters that could be considered private information

alessandrogario · Answer

For FIM you would be looking at files opened which would also I think fall in the same category

alessandrogario · Answer

I am not an expert on GDPR I think you need consent from the users and possibly you can only store that data within Europe

alessandrogario · Answer

I think you need to talk to a lawyer to be sure and not trust documentation as a precaution

A · Answer

Since the company own the employees computer we re allowed to collect data Such as what is being searched on and what people do on their computer

alessandrogario · Answer

I think it depends potentially on what the computer is doing if it s handling GDPR protected data like customer data for example it s still in scope for GDPR laws

A · Answer

yes indeed

alessandrogario · Answer

Meaning a company laptop may end up leaking GDPR protected data while the employee performs their duty like opening personal records etc

alessandrogario · Answer

So i still suggest to talk to a lawyer

A · Answer

yes slightly smiling face

seph · Answer

As Alessandro said osquery itself does nothing It is a tool for structured data collection The osquery foundation does not maintain any central osquery logging We are not a vendor that provides that service Though many of us do work for vendors that do How osquery is configured is very site specific Both in terms of what data is collected how it s handled and how thoughtful people are about the privacy implications

seph · Answer

Speaking as a Kolide employee eg a vendor we aim to be very transparent and user focused in our data collection I would refer you to <https honest security> for our discussion about these issues

Jason · Answer

As < seph> said since osquery is just a tool and not a service the GDPR implications are entirely dependent on the implementation of of the service or on the IT engineering team implementing osquery Standalone as a downloadable binary it has zero GDPR implications

A · Answer

+1